1.   Objective

The objective of this section is to enable you to conduct and document a DPIA (Data Protection Impact Assessment) or PIA (Privacy Impact Assessment).


Here is a short video about the DPIA/PIA.

Although this particular video covers the DPIA in Singapore, the module uses a systematic format that applies to many jurisdictions, so the same steps can be followed elsewhere.

The selection drop-lists and the report formats change automatically based on the jurisdiction setting of the account.

For jurisdictions without a mandatory DPIA/PIA requirement, or where the account does not have a specific jurisdiction set, the report will be based on the ISO/IEC 29134:2023(en) standard.



2.   Overview 

To begin, click 'Manage DPIA / PIA'.


You will be brought to the DPIA / Projects page.



PROJECT DETAILS

 

3.   Create a new DPIA/PIA Project 

  1. Click the '+ New Entry' button and enter a DPIA/PIA Name as well as the Department conducting it. Click 'Save'. 
  2. You will be presented with all the steps needed to conduct the DPIA/PIA.





4.   Project Details 

  1. Enter the Project Details such as 
    • Project Name
    • Purpose of Project 
    • Expected Benefits
    • Process(es) involved - from Process Inventory
    • Type of Processing involved (select one or more as applicable)
    • Additional details 
  2. Click 'Save'. The system will display a confirmation message. 


5.   Need for DPIA/PIA

This section is also called a Threshold Analysis: based on the Project Details, the system assesses whether a DPIA/PIA is needed.

The Threshold Analysis suggests whether a DPIA/PIA is needed and states the reason for its suggestion.





6.   Plan

Document your Plan in this section, including the:

  • Nature, Scope, Context and Purposes of Processing
  • Reason for Processing
  • Parties involved in the Project
  • Target Date of implementation of the Project
  • If the Threshold Analysis indicated that a DPIA/PIA is necessary and you have decided not to proceed with one, the reason for that decision

Click 'Save'.





PERSONAL DATA FLOW


7.   Process Data Mapping

Ensure the Process Data Mapping has been completed for every Process involved in this DPIA/PIA, as the Personal Data Flow Summary is built from it.



8.   Personal Data Flow Summary

The system will summarise the personal data and flows involved in this DPIA/PIA.







RISK ASSESSMENT 



9.  DP Principles

The system generates the Data Privacy Principles / Considerations Dashboard.

It displays the Data Privacy Principles that are fulfilled or unfulfilled, based on the Data Mapping inputs for the Processes in your project.

Viewing the details behind a 'light' indicator for a DP Principle:

  • Click on a 'light' to view the underlying information
  • Click on the underlying information and the system will navigate you to the specific record

You can then attach Files, specify URL Links, or add comments as supporting evidence where appropriate.



10. Files (Evidence)

Upload Files to provide supporting evidence where appropriate.


11. URL Links (Evidence)

Insert URL Links to provide supporting evidence where appropriate.



12. Risks and Controls

  • The purpose of this section is to conduct Risk Identification and Assessment for the project undergoing the DPIA/PIA.
  • Enter the Risk and click the '+ Add' button.
  • Assess the Inherent Impact and the Probability of the Risk occurring.
  • Select the Impact Rating. Enter Remarks to justify the Impact Rating, and attach any files or links that support the rating.
  • Refresh the page to view the computed Inherent Risk Score. At this point there are no Controls in place (0 out of 0 are implemented).
  • Click 'Read More...'. From this page, you can identify the Risk Treatment that will mitigate the risk by Avoidance, Acceptance, Reduction or Transfer.
  • Click '+ New Treatment'. The system will present a form to specify the Risk Treatment.
  • Enter the following, then click 'Save':
    • Treatment Name
    • Controls / Policies / Measures (drop-list)
    • Status (Treat, Control or Reduce, etc.)
    • Description (optional)
  • Once you have saved one or more Risk Treatments, they are displayed on the screen.







REVIEW 


The purpose of this section is to review the risk assessment of the project undergoing the DPIA/PIA and to record the decision on whether it should proceed.


13. Owner's Evaluation

The Project Owner then fills in the 'Project Owner's Evaluation' based on the risk assessment of the project.


14. Submit for Review

Click the '+' sign and set the Task, the user who will review the DPIA/PIA, the Dates and any Reminders.



15. Reviewer's Decision

  •  The Reviewer records his or her decision on whether the Project should proceed.
  •  Fields examined include: DP Principles, Risks to the Individual, Other Feedback received on this DPIA/PIA, and the Opinion of the DPO.
  •  The Reviewer's Decision, the Review Date and the Reviewer will be updated.




16. Final Report

Click 'Final Report' and wait for the system to generate the report from the information recorded in the preceding sections.



IMPLEMENTATION 


The purpose of this section is to track the follow-up actions needed to close the gaps identified in the DPIA/PIA before the project is implemented.


17. Follow-up Guide

  • Once the risks and controls for a DPIA/PIA have been identified, there must be a systematic way of ensuring that all actions are taken to close any gaps before the project is implemented.


18. Tasks

  • Add any tasks here that need to be followed up.
  • For example, the DPO may request that certain changes be made to strengthen data protection measures.


19. Audit

  • Document any audit findings here.